System and method for providing transactional security for an end-user device

ABSTRACT

A network system comprises a transaction network operative to provide a transaction with an end user; a trusted source of a security mechanism (e.g., a start/stop trigger module, an application lockout module, a network/file I/O control module, a trusted driver manager, a keystrokes generator driver, a keystrokes deletion hook, and/or a transaction network VPN manager) for at least partially protecting an end-user device from malicious code operative thereon that attempts to capture confidential data presented during the transaction, the security mechanism being maintained by a party other than the end user; and an agent for providing the security mechanism to the end-user device to protect the end-user device during the transaction.

CROSS REFERENCE TO RELATED APPLICATIONS

This application is a divisional of and claims benefit of utility patent application Ser. No. 12/111,777, filed Apr. 29, 2008; a continuation of and claims benefit of utility patent application Ser. No. 11/694,476, filed Mar. 30, 2007, by inventor Wee Tuck Teo, entitled: “System and Method for Providing Transactional Security For An End-User Device”; provisional patent application Ser. No. 60/787,457, entitled “Trusted Network Transaction,” filed on March 30, 2006, by inventor Wee Tuck Teo; and provisional patent application Ser. No. 60/814,828 entitled “End Point Remote Data Exchange Security,” filed on Jun. 19, 2006, by inventor Wee Tuck Teo.

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.

TECHNICAL FIELD

This invention relates generally to network systems, and more particularly provides a system and method for providing transactional security to an end-user device.

BACKGROUND

Security is a key concern during online transactions. Commercial Internet transactions, e.g., Internet banking, credit card purchases, etc., are only as secure as the weakest link. Traditional security solutions focus on server-side infrastructure security, e.g., HTTPS web site, two-factor authentication, etc. While the server side has security expert management and maintenance, the end user's computers do not have such benefit.

Current online transaction risks increase due to poor end user security practices. The current solution to end user security tends to focus on end user education, e.g., training end users to recognize phishing attempts and ignore spoofed emails, and installing end-user security software to clean up and secure end-user devices from malicious code, e.g., viruses, spyware, adware, keyloggers, backdoors, Trojans, etc. Solving the end-user device vulnerabilities using the above approach is dependent on end-user efforts, e.g., regular installation of security software updates such as signature files, regular execution of scans, regular application of the security patches, etc.

Additionally, the generally open nature of the Internet makes shared Internet resources, e.g., DNS servers, intermediate routers, etc., susceptible to web site hijacking. Shared Internet resources are not managed by web site owners or end users, making securing these shared resources outside the control of the stakeholders.

A system and method that facilitates protection of an end-user device are needed.

SUMMARY

According to one embodiment, instead of ensuring that an end-user device is permanently secure, which requires ongoing security management, embodiments of the invention ensure that the end-user device is secure only during a transaction, e.g., an online transaction. This reduces end-user security management overhead. For example, an end-user device may be infected with keyloggers or remote backdoors during normal operation. However, according to embodiments of the invention, these threats need only be disabled during the transaction. According to another embodiment, instead of depending on an end user to manage the security software, software that enables a trusted network transaction (TNT) environment is managed and provided by a trusted source that provides the security software or security policy on demand. For example, the security software or security policy may be delivered/pushed from a transaction site, from a service provider site (e.g., the end user's Internet service provider, the transaction site's security provider, an independent service provider, or the like) onto the end-user device. According to yet another embodiment, the security software delivered/pushed onto an end-user device may remove dependencies on shared Internet resources. For example, the IP address of a destination web or VPN server may be provided directly to the end-user device to determine or force a new connection over the Internet with the destination web or VPN server. Yet another embodiment secures data exchange by ensuring that confidential data cannot be permanently captured by malicious software residing on an end-user device, or that confidential data captured cannot be sent or misdirected to untrusted remote sites. These and other TNT mechanisms (security engines, security profiles, and/or the like) can be deployed independently or in different combinations.

According to one embodiment, the present invention provides a network system comprising a transaction network operative to provide a transaction with an end user; a trusted source of a security mechanism for at least partially protecting an end-user device from malicious code operative thereon that attempts to capture confidential data presented during the transaction, the security mechanism being maintained by a party other than the end user; and an agent for providing the security mechanism to (e.g., installing or configuring the security mechanism on) the end-user device so that the appropriate security mechanism for the expected transaction protects the end-user device during the transaction.

The transaction network may provide a banking site and/or a gaming site. The trusted source may reside on an ISP network, SAS (software-as-a-service) operator network or on the transaction network. The trusted source and the transaction network may be managed by the same entity. The security mechanism may include a security engine and/or a security profile. The security mechanism may include a start/stop trigger module for controlling when to initiate one or more aspects of the security mechanism and when to deactivate the one or more aspects of the security mechanism; an application lockout module for suspending at least one application not needed to effect the transaction; a file/network I/O control module for disabling at least one file or network operation during the transaction; a trusted driver module for determining whether a driver, e.g., a keyboard driver, on the end-user device matches a known trusted driver; a keystrokes generator driver for generating additional keystrokes to a keystroke pattern generated by the end user; a keystrokes deletion hook for deleting the additional keystrokes generated by the keystrokes generator driver; and/or a VPN manager capable of establishing a directional or unidirectional secure tunnel between the end-user device and the transaction network. The security mechanism may include an IP address to a server within the transaction network. The agent or another agent may be capable of removing the security mechanism upon completion of the transaction. The agent may include an install agent downloaded from the trusted source, an install agent downloaded from a third-party server, and/or a connection agent preloaded onto the end-user device.

According to another embodiment, the present invention provides a method comprising initiating, by an end user, a request for a secure transaction with a transaction network providing a transaction; receiving from a trusted source a security mechanism for at least partially protecting an end-user device from malicious code operative thereon that attempts to capture confidential data presented during the transaction, the security mechanism being maintained by a party other than the end user; activating the security mechanism; establishing a secure connection between an end-user device and the transaction network; and enabling the transaction.

The transaction network may provide a banking site and/or a gaming site. The trusted source may reside on an ISP network, SAS operator network or on the transaction network. The trusted source and the transaction network may be managed by the same entity. The security mechanism may include a security engine and/or a security profile. The security mechanism may include a start/stop trigger module for controlling when to initiate one or more aspects of the security mechanism and when to deactivate the one or more aspects of the security mechanism; an application lockout module for suspending at least one application not needed to effect the transaction; a file/network I/O control module for disabling at least one file or network operation during the transaction; a trusted driver module for determining whether a driver, e.g., a keyboard driver, on the end-user device matches a known trusted driver; a keystrokes generator driver for generating additional keystrokes to a keystroke pattern generated by the end user; a keystrokes deletion hook for deleting the additional keystrokes generated by the keystrokes generator driver; and/or a VPN manager capable of establishing a secure tunnel between the end-user device and the transaction network. The security mechanism may include an IP address to a server within the transaction network. The method may further comprise removing the security mechanism upon completion of the transaction.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a network system operative to secure an end-user device, in accordance with an embodiment of the present invention.

FIG. 2 is a block diagram illustrating details of the security engine of FIG. 1, in accordance with an embodiment of the present invention.

FIG. 3 is a block diagram illustrating a network system operative to effect a trusted network transaction with an Internet banking portal, in accordance with an embodiment of the present invention.

FIG. 4 is a block diagram illustrating a network system operative to effect a trusted network transaction managed by the end user's Internet service provider, in accordance with an embodiment of the present invention.

FIG. 5 is a block diagram illustrating a network system operative to effect security engine installation, in accordance with an embodiment of the present invention.

FIG. 6 is a timing diagram illustrating keyboard-input processing, in accordance with an embodiment of the present invention.

FIG. 7 is a block diagram illustrating a network system operative to effect tunnel datagram processing, in accordance with an embodiment of the present invention.

FIG. 8 is a screen shot of an end-user device before spyware infection or spoofing attack.

FIG. 9 is a screen shot of an end-user device after spyware infection.

FIG. 10 is a screen shot of an end-user device with a window illustrating keylogger infection.

FIG. 11 is a screen shot of an end-user device with a window illustrating keystroke capture.

FIG. 12 is a screen shot of an end-user device before DNS poisoning.

FIG. 13 is a screen shot of an end-user device with a window illustrating a legitimate IP address in a DNS cache, before DNS poisoning.

FIG. 14 is a screen shot of an end-user device after DNS poisoning.

FIG. 15 is a screen shot of an end-user device with a window illustrating a spoofed IP address in the DNS cache, after DNS poisoning.

FIG. 16 is a screen shot of an end-user device with a browser window illustrating the spoofed site at the IP address of FIG. 15.

FIG. 17 is a screen shot of an end-user device with a browser window illustrating the spoofed site and with a security alert.

FIG. 18 is a screen shot of an end-user device with a browser window illustrating the spoofed site and with a spoofed security certificate.

FIG. 19 is a screen shot of an end-user device after keylogger infection and DNS poisoning and before protection by embodiments of the invention.

FIG. 20 is a screen shot of an end-user device with a window illustrating continuous pinging of the Yahoo website to evidence the availability of outbound communication.

FIG. 21 is a screen shot of an end-user device with a window illustrating that a download agent, e.g., an ActiveX control, is being delivered to the end-user device.

FIG. 22 is a screen shot of an end-user device with a window illustrating that the download agent is being executed and is establishing a VPN connection with a trusted source of a security engine.

FIG. 23 is a screen shot of an end-user device with a window illustrating that the download agent has established a VPN connection with the trusted source, has downloaded and installed the security engine, and is presenting a button to navigate to the legitimate banking site.

FIG. 24 is a screen shot of an end-user device with a window illustrating that the continuous pinging of the Yahoo website has stopped, evidencing that outbound communication has been suspended.

FIG. 25 is a screen shot of an end-user device with a window illustrating the legitimate IP address of the legitimate banking site.

FIG. 26 is a screen shot of an end-user device with a window illustrating application lockout.

FIG. 27 is a screen shot of an end-user device with a window illustrating the button to navigate to the legitimate banking site.

FIG. 28 is a screen shot of an end-user device with a browser window illustrating the legitimate banking site.

FIG. 29 is a screen shot of an end-user device with a window illustrating the legitimate banking site certificate of the legitimate banking site.

FIG. 30 is a screen shot of an end-user device with a browser window illustrating the legitimate banking site and illustrating that the keylogger is no longer active.

FIG. 31 is a screen shot of an end-user device with a browser window just before the security engine is deactivated and/or removed.

FIG. 32 is a screen shot of an end-user device with a window illustrating that outbound communication has resumed.

FIG. 33 is a screen shot of an end-user device with a window illustrating resumed vulnerability to the DNS poisoning of the DNS cache.

FIG. 34 is a screen shot of an end-user device with a window illustrating that the security engine protected the memory space from registering the browser window.

FIG. 35 is a screen shot of an end-user device with a window illustrating that the keylogger infection has been neutralized.

DETAILED DESCRIPTION

The following description is provided to enable any person skilled in the art to make and use the invention and is provided in the context of a particular application. Various modifications to the embodiments are possible, and the generic principles defined herein may be applied to these and other embodiments and applications without departing from the spirit and scope of the invention. Thus, the invention is not intended to be limited to the embodiments and applications shown, but is to be accorded the widest scope consistent with the principles, features and teachings disclosed herein.

According to one embodiment, instead of ensuring that an end-user device is permanently secure, which requires ongoing security management, embodiments of the invention only ensure that the end-user device is secure during a data sensitive transaction. This reduces end-user security management overhead. For example, an end-user device may be infected with keyloggers or remote backdoors during normal operation. However, according to embodiments of the invention, these threats need only be disabled during the transaction. According to another embodiment, instead of depending on an end user to manage the security software, software that enables a trusted network transaction (TNT) environment is managed and provided by a trusted source that provides the security software on demand. For example, the security software may be delivered/pushed from an online transaction site, from a service provider site (e.g., the end user's Internet service provider, the transaction site's security provider, an independent service provider, or the like) onto the end-user device. According to yet another embodiment, the security software delivered/pushed onto an end-user device may remove dependencies on shared Internet resources. For example, the IP address of a destination VPN server may be provided directly to the end-user device to force a new connection over the Internet with the destination VPN server. Yet another embodiment secures data exchange by ensuring that confidential data cannot be permanently captured by malicious software residing on an end-user device, or that confidential data captured cannot be sent or misdirected to untrusted remote sites. These and other TNT mechanisms (security engines, security profiles, and/or the like) can be deployed independently or in different combinations. It will be appreciated that the transaction is not necessarily an online transaction; it could be a local transaction, e.g., opening an encrypted local file.

FIG. 1 is a block diagram of a network system 100 operative to secure an end-user device 105, in accordance with an embodiment of the present invention. The network system 100 includes an end-user device 105 coupled via a trusted network 110 to an Internet service provider (ISP) network 115, which is coupled via an untrusted network 112 to a transaction network (e.g., server, network of servers, etc.) 120 (e.g., bankofamerica.com, amazon.com, ebay.com, etc.) and to another network 125.

The end-user device 105 includes a browser 135 (e.g., Microsoft Internet Explorer or Netscape Navigator), an operating system (e.g., Microsoft Vista or Apple Mac OS X) and device drivers 140, and other applications 145. The end-user device 105 also includes a connection agent 130 capable of communicating with a trusted source of a security mechanism (e.g., security engine and/or security profiles) that secures the end-user device 105 during an online transaction. The end-user device 105 may also maintain a local DNS cache 150.

The ISP network 115 includes a server 165, a DNS server/cache 170, and an end-user security controller 175. In another embodiment, components of the end-user security controller 175 may be located elsewhere (e.g., the security engine can be on the trusted network and the security policy can be on the transaction network), such as on the transaction network 120 or on another trusted source. The end-user security controller 175 includes a security engine 177 and security profiles 180 for download to the end-user device 105. The security engine 177 contains software that sets up a secure data exchange between the end-user device 105 and a remote network application running on a trusted device in a trusted network, e.g., a trusted server on the transaction network 120. The security profiles 180 contain the rules, definitions and/or identification information for the security engine 177 to block unexpected behaviors due to, e.g., viruses, spyware, adware, Trojans, etc. It will be appreciated that the ISP network 115 may support multiple transaction networks 120, and may include multiple security controllers 175 (each dedicated to a particular transaction network 120). Alternatively, the ISP network 115 may have a single security controller 175, and may customize the security engine 177 and/or security profiles 180 on the fly for the particular transaction network 120.

It will be appreciated that the security engine 177 and/or security profiles 180 may be updated on a regular basis by a security manager. Then, as needed, possibly on an irregular basis as the end user connects to the ISP network 115 and/or to the transaction network 120, the end-user security controller 175 downloads the security engine 177 and/or security profiles 180 to the end-user device 105. In one embodiment, the security engine 177 and/or security profiles 180 are maintained only during the transaction session, and are removed upon completion of the transaction. In another embodiment, the security engine 177 and/or security profiles 180 are not removed, and are updated before each new transaction begins. In another embodiment, the security engine 177 and/or security profiles 180 are operative between transactions, and serve to protect the end-user device 105 in the current state until a subsequent transaction request deploys an update. Additional details of the security engine 177 are shown and described with reference to FIG. 2.

The transaction network 120 includes at least one web server 185, which includes a login script 190. The login script 190 may request confidential information from the end user. After download, the security engine 177 and security profiles 180 protect the confidential data being provided by the end user from unintended capture, undesired transfer to third parties, etc.

The other network 125 includes at least one web server 193, which includes a login script 197. In one embodiment, the other network 125 may provide a malicious site developed to mimic the site provided by transaction network 120. In such an embodiment, the security engine 177 and security profiles 180 protect the end user from being misdirected to the other network 125, e.g., via DNS poisoning, etc.

In one embodiment, the connection agent 130 is securely delivered and pre-installed on the end-user device 105. Whenever secure data exchange is required, the connection agent 130 downloads a trusted copy of the security engine 177 and/or security profiles 180. The connection agent 130 can be implemented as a standalone executable application, as a plug-in to the browser 135, as a part of the operating system 140, etc. In one embodiment, it is assumed that the connection agent 130 is delivered, pre-installed and executed on the end-user device 105 without modification. If the connection agent 130 does not come from a trusted source, then secure data exchange may be compromised.

In one embodiment, the connection agent 130 uses a pre-configured and unchangeable network address to contact a secure network address resolution service to obtain the IP address of the trusted source providing the security engine 177 and/or security profiles 180. For example, an IP address of a trusted DNS security extensions (DNSSEC) server may be embedded in the connection agent 130. The connection agent 130 may use this IP address to connect to the DNSSEC server to resolve the domain name of the trusted source to an IP address. Using the network address of the trusted source, a secure data exchange may be established to provide a secure connection to the trusted source, preventing network traffic from the end-user device 105 from being misdirected to untrusted sources and guarding against other forms of network intrusion and attacks. For example, in a TCP/IP network, the connection agent 130 may use the resolved IP address to connect to the trusted source, e.g., via a secure tunnel. This connection technique ensures that the IP address is accurate (e.g., not poisoned by a DNS attack), and assures that the end-user device 105 connects to the intended trusted source. Further, the communication protocols employed in the secure network address resolution service ensure that communication to and from the end-user device 105 is authenticated, authoritative and accurate.

With a secure data exchange established, the end-user device 105 can download the security engine 177 and/or security profiles 180, e.g., using protocols like HTTP or FTP. The secure tunnel established by the connection agent 130 ensures that data traffic between the end-user device 105 and the trusted source is secure and cannot be compromised, even when insecure protocols like HTTP and FTP are used.

After delivery of the security engine 177 and/or security profiles 180, the end-user device 105 executes the security engine 177. The security engine 177 effectively secures the end-user device 105, e.g., allows the end-user device 105 to communicate only with trusted sites, prevents other applications 145 running on the end-user device 105 from capturing or sending information, especially to untrusted sites, etc. The user can then access and interact with the transaction network 120 in confidence.

In another embodiment, the connection agent 130 and security engine 177 are pre-loaded onto the end-user device 105. Then, using the techniques described above to obtain the security engine 177 and/or security profiles 180, the connection agent 130 and security engine 177 may obtain current security profiles 180 to configure and/or operate with the pre-loaded security engine 177.

It will be appreciated that the connection agent 130 may cooperate with the end-user security controller 175 to establish a preliminary VPN tunnel (e.g., Microsoft PPTP or L2TP/IPSEC) before obtaining the security engine 177 and/or security profiles 180. This preliminary VPN tunnel ensures that the security engine 177 and/or security profiles 180 are not modified or replaced in transit. In one embodiment, the preliminary VPN tunnel is dynamically established using IP (instead of DNS) as the destination address. This bypasses the dependency on the Internet-shared DNS service.

It will be further appreciated that the security engine 177 may establish a transaction network VPN tunnel (e.g., Microsoft PPTP or L2TP/IPSEC) with the transaction network 120. This VPN tunnel ensures that confidential data communicated with the transaction network 120 is not captured. In one embodiment, the VPN tunnel is dynamically established using IP (instead of DNS) as the destination address. The IP address can be securely updated immediately (as compared to using DNS) because the IP address can be directly set in the security engine 177 and/or security profiles 180 (which are directly managed by the trusted party). This bypasses the dependency on the Internet-shared DNS service. In certain embodiments, the preliminary VPN tunnel may connect with the transaction network 120. Accordingly, in such embodiments, the security engine 177 need not establish a different tunnel.
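As an added illustration of the "IP instead of DNS" choice made by the connection agent and the VPN managers described in the preceding paragraphs (example code written for this page, not code from the patent or from any product it names), the following Python selects the tunnel endpoint from an address pinned in the security profile, falls back to the resolver address embedded in the agent only when no pin exists, and reports a local DNS cache entry that disagrees with the pinned set as a poisoning indicator for logging. The SecurityProfile fields, the resolver stand-in and all addresses are constructed assumptions.

```python
"""Endpoint selection that favours a pinned IP from the security profile
over the shared DNS path. Added illustration; the profile layout, the
resolver stand-in and every address below are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SecurityProfile:
    """Hypothetical profile fields set directly by the trusted party."""
    transaction_host: str            # name of the transaction site
    pinned_ips: tuple = ()           # server IPs written into the profile
    trusted_resolver_ip: str = ""    # resolver address embedded in the agent


@dataclass
class Decision:
    destination: str
    source: str                      # "pinned" or "trusted-resolver"
    warnings: list = field(default_factory=list)


def _is_ip(text):
    """True when text parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def choose_destination(profile, local_dns_cache, resolve_via):
    """Pick the tunnel endpoint without trusting the shared DNS path.

    local_dns_cache: dict host -> IP, what the OS resolver would answer.
    resolve_via: callable(resolver_ip, host) -> IP, standing in for a query
    sent to the resolver whose address is embedded in the agent.
    """
    pinned = [ip for ip in profile.pinned_ips if _is_ip(ip)]
    if pinned:
        decision = Decision(destination=pinned[0], source="pinned")
        cached = local_dns_cache.get(profile.transaction_host)
        # A cache answer outside the pinned set is worth logging as a
        # poisoning indicator; the tunnel still goes to the pinned address.
        if cached is not None and cached not in pinned:
            decision.warnings.append(
                f"local DNS cache maps {profile.transaction_host} to {cached}, "
                "which is not in the pinned set")
        return decision
    if not _is_ip(profile.trusted_resolver_ip):
        raise ValueError("profile has neither a pinned IP nor a trusted resolver")
    answer = resolve_via(profile.trusted_resolver_ip, profile.transaction_host)
    if not _is_ip(answer):
        raise ValueError("trusted resolver returned an unusable answer")
    return Decision(destination=answer, source="trusted-resolver")


# Constructed sample data (documentation address ranges, not real servers).
SAMPLE_PROFILE = SecurityProfile("bank.example",
                                 pinned_ips=("198.51.100.10",),
                                 trusted_resolver_ip="192.0.2.53")
SAMPLE_POISONED_CACHE = {"bank.example": "203.0.113.7"}


def fake_dnssec_resolver(resolver_ip, host):
    """Stand-in for the trusted resolver; returns a constructed answer."""
    return {"bank.example": "198.51.100.10"}.get(host, "")


if __name__ == "__main__":
    d = choose_destination(SAMPLE_PROFILE, SAMPLE_POISONED_CACHE, fake_dnssec_resolver)
    print(d.destination, d.source, d.warnings)
```

The point of the design is that the profile, which the trusted party controls, is the only input that decides where the tunnel goes; the local cache is consulted only to produce evidence, never to choose the endpoint.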

FIG. 2 is a block diagram illustrating details of the security engine 177, in accordance with an embodiment of the present invention. The security engine 177 includes a security manager 210, a start/stop trigger module 215, an application lockout module 220, a network/file I/O control module 225, a trusted driver manager 230, a keystrokes generator driver 235, a keystrokes deletion hook 240, a security profile manager 245, and a transaction network VPN manager 250.

The security manager 210 includes hardware, software and/or firmware to manage the execution of and interaction between the various components of the security engine 177. The start/stop trigger module 215 includes hardware, software and/or firmware to determine where and when data protection is needed. The application lockout module 220 includes hardware, software and/or firmware to effectively suspend other applications not needed during the online transaction (e.g., Authentium Trusted Security Extensions, SecureWave Sanctuary, and/or the like). The network/file I/O control module 225 includes hardware, software and/or firmware to prevent network and/or file I/O by other applications, e.g., by other applications that cannot be suspended. The trusted driver manager 230 includes hardware, software and/or firmware to determine whether device drivers, e.g., the keyboard input driver, on the end-user device 105 can be trusted. The keystrokes generator driver 235 includes hardware, software and/or firmware to generate additional keystrokes and/or replace keystrokes generated by the keyboard input driver 140, e.g., to input fake keystrokes in a keyboard input pattern. The keystrokes deletion hook 240 includes hardware, software and/or firmware to remove the additional keystrokes and/or replace the original keystrokes generated by the keyboard input driver 140, e.g., to regenerate the original keyboard input pattern modified by the keystrokes generator driver 235. The security profile manager 245 includes hardware, software and/or firmware to replace and/or update the security profiles 180. The transaction network VPN manager 250 includes hardware, software and/or firmware to establish a VPN tunnel with the transaction network 120.
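The keystrokes generator driver 235 and keystrokes deletion hook 240 described above only work if both ends agree on which keystrokes are fake. The following Python is an added illustration of one way to reach that agreement (written for this page; it is not the patent's design and the patent does not specify how the two modules coordinate): both sides derive the decoy characters and the slot of the real key for each position from a shared secret with HMAC, so whatever observes the stream between driver and hook sees only the padded sequence, and the hook rejects a stream whose decoys do not match, rather than passing a tampered or truncated stream to the application. The secret, the sample password and the two-decoys-per-key ratio are constructed assumptions.

```python
"""Keystroke padding and stripping in the spirit of the keystrokes
generator driver and keystrokes deletion hook. Added illustration; the
keyed schedule and all sample values are this example's own."""
import hmac
import hashlib
import string

DECOY_ALPHABET = string.ascii_letters + string.digits


def _schedule(secret, index, decoys_per_key):
    """Derive, for the index-th real keystroke, the decoy characters and
    the slot holding the real key. Both sides share `secret`."""
    tag = hmac.new(secret, index.to_bytes(4, "big"), hashlib.sha256).digest()
    decoys = [DECOY_ALPHABET[b % len(DECOY_ALPHABET)] for b in tag[:decoys_per_key]]
    slot = tag[decoys_per_key] % (decoys_per_key + 1)
    return decoys, slot


def generator_driver(secret, real_keys, decoys_per_key=2):
    """Driver side: emit each real keystroke inside a block of decoys.
    An observer between driver and hook cannot tell real keys from decoys
    without the secret."""
    padded = []
    for index, key in enumerate(real_keys):
        decoys, slot = _schedule(secret, index, decoys_per_key)
        padded.extend(decoys[:slot] + [key] + decoys[slot:])
    return padded


def deletion_hook(secret, padded, decoys_per_key=2):
    """Application side: strip the decoys and verify they are the expected
    ones, so a tampered or truncated stream raises instead of being
    delivered as user input."""
    block_len = decoys_per_key + 1
    if len(padded) % block_len:
        raise ValueError("padded stream is not a whole number of blocks")
    real_keys = []
    for index in range(len(padded) // block_len):
        block = padded[index * block_len:(index + 1) * block_len]
        decoys, slot = _schedule(secret, index, decoys_per_key)
        expected = decoys[:slot] + [block[slot]] + decoys[slot:]
        if block != expected:
            raise ValueError(f"unexpected decoys in block {index}")
        real_keys.append(block[slot])
    return real_keys


# Constructed sample: a shared secret and a password typed by the user.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_KEYS = list("hunter2")

if __name__ == "__main__":
    padded = generator_driver(SAMPLE_SECRET, SAMPLE_KEYS)
    print("observed between driver and hook:", "".join(padded))
    print("delivered to the application:   ",
          "".join(deletion_hook(SAMPLE_SECRET, padded)))
```

A real driver would apply this to scan codes rather than characters and would need the secret provisioned as part of the security engine 177 download; the verification step in the hook is what keeps a mismatched or partially captured stream from ever reaching the browser.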

It will be appreciated that one method of leaking confidential data (e.g., userid, password, credit card number, visual login screen, etc.) requires the data to be locally captured and network transmitted. Thus, in some embodiments, instead of focusing on updating traditional anti-virus/anti-spyware with the latest security protection, the application lockout module 220 treats all applications not explicitly needed to use the transaction network 120 as a security threat and disables them for the duration of the online transaction. For example, during the online transaction, the application lockout module 220 allows only the browser 135 and browser-helper applications (e.g., PDF reader) to continue normal execution, while effectively suspending all other applications 145 (regardless of whether they are benign or malevolent). Optionally, the application lockout module 220 could permanently terminate (instead of temporarily suspend) well-known spyware or Trojans.

Depending on the OS and application control component features, it is possible for the application lockout module 220 in a first stage to suspend unrequired applications 145 by placing them into background mode, by preventing OS events (e.g., Microsoft Windows event messages) from being received by these applications 145, by intercepting all keyboard and mouse operations to these applications 145, and/or the like. Further, in a second stage, the application lockout module 220 may stop new applications or processes from being executed, e.g., to prevent changes to the security engine 177 and/or security profiles 180 during the transaction. Thus, unrequired or infected applications that bypass the first stage of protection cannot create another process to capture confidential information or disable the security software.

In some embodiments, it might not be technically possible for the application lockout module 220 to suspend all unrequired applications 145 and OS processes (e.g., the OS timer), as such might create unintended side effects (e.g., application crashes). When an application 145 cannot be suspended, the network/file I/O control module 225 may provide a second level of global security. The network/file I/O control module 225 effectively prevents information leakage by these unrequired applications 145. Since unrequired applications 145 need to store and/or transmit the captured information, preventing file I/O operations and/or network I/O transmissions can stop permanent storage and/or transfer of the data. Thus, even if the information is captured by the malicious code, no one can obtain the compromised data. In the extreme case, if the leaked information is cached in memory, rebooting the OS would clear the data. The network/file I/O control module 225 can deny write attempts to all files/directories or the OS registry not required by the browser 135. Using a VPN tunnel may prevent the confidential data from being sent to the Internet by spyware, Trojans, or the like.
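The three preceding paragraphs describe a layered allow-list: a first lockout stage that classifies running processes, a second stage that blocks new processes, and an I/O control layer that catches whatever could not be suspended. The following Python is an added example of that policy as a single decision table (written for this page, not code from the patent or from the products it names); the policy fields, process names, paths and interface name are constructed assumptions, and the path check normalises ".." so a write cannot escape an allowed directory.

```python
"""Allow-list policy combining application lockout and network/file I/O
control. Added illustration; all policy values, process names and paths
are constructed for the example."""
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    required_apps: frozenset      # browser and helpers kept running
    unsuspendable: frozenset      # OS processes that must not be suspended
    known_malware: frozenset      # terminated outright instead of suspended
    browser_write_roots: tuple    # directories the browser may write to
    tunnel_interface: str         # only egress path during the transaction


def classify_process(policy, process):
    """First lockout stage: decide what happens to a running process."""
    if process in policy.known_malware:
        return "terminate"
    if process in policy.required_apps:
        return "run"
    if process in policy.unsuspendable:
        return "restrict-io"      # cannot be suspended; I/O control applies
    return "suspend"


def allow_new_process(policy, parent, child):
    """Second lockout stage: only a required app may start a required app,
    so a bypassed process cannot spawn a helper of its own."""
    return parent in policy.required_apps and child in policy.required_apps


def _under(path, root):
    """True when the normalised path lies inside root (no '..' escape)."""
    norm = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return norm == root or norm.startswith(root + "/")


def allow_file_write(policy, process, path):
    """File I/O control: writes only by required apps, only under their
    allowed roots; suspended and restrict-io processes may not write."""
    if classify_process(policy, process) != "run":
        return False
    return any(_under(path, root) for root in policy.browser_write_roots)


def allow_network_send(policy, process, interface):
    """Network I/O control: only required apps send, only via the tunnel."""
    return (classify_process(policy, process) == "run"
            and interface == policy.tunnel_interface)


# Constructed sample policy.
SAMPLE_POLICY = LockoutPolicy(
    required_apps=frozenset({"browser", "pdf-reader"}),
    unsuspendable=frozenset({"os-timer", "window-manager"}),
    known_malware=frozenset({"known-keylogger"}),
    browser_write_roots=("/home/user/.cache/browser", "/home/user/Downloads"),
    tunnel_interface="tun0",
)

if __name__ == "__main__":
    for p in ("browser", "word-processor", "os-timer", "known-keylogger"):
        print(p, "->", classify_process(SAMPLE_POLICY, p))
    print(allow_file_write(SAMPLE_POLICY, "browser",
                           "/home/user/.cache/browser/../../.ssh/id"))
```

The order of the checks matters: a known-malware name is terminated before the required-app test, so a malicious process cannot gain "run" status by collision with an allowed name, and the I/O decisions are derived from the classification rather than kept as a second list that could drift from it.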

Embodiments of the invention attempt to enforce protection and/or application/network lockout on demand during a secured data exchange session with less user disruption. Traditional end-point protection and/or lockout solutions, e.g., SecureWave, Bit9, etc., apply full protection or lockout of the end-user device 105 to ensure that only valid or authorized applications are allowed to run. However, this approach is intrusive and disruptive to the end user, who loses the capability to perform normal computing tasks. Embodiments of the invention achieve protection and/or lockout by determining interaction points where and when important sensitive information is being sent to and/or received by the user; by activating end-point protection and/or lockout mechanisms only during these sensitive interaction points; and by de-activating protection and/or lockout outside these interaction points where and when the user is doing things that do not compromise security.

The start/stop trigger module 215 determines the interaction pointsduring a user's data exchange session where and when sensitive dataneeds protection. The start/stop trigger module 215 generates aSensitive_Start flag when sensitive information is present, e.g., whensensitive information is about to be sent, sensitive data is about to bereceived, sensitive data is about to be displayed, combinations of thesepoints, etc. The start/stop trigger module 215 generates aSensitive_Stop flag when no sensitive information is present, e.g., whenno sensitive data is being sent, received, displayed, etc.

These flags activate or de-activate end-point protection and/or lockoutmechanisms by the application lockout module 220 and/or network/file I/Ocontrol module 225 in a more granular manner, which is less intrusive tothe end user. For example, assuming the security software is deployed toprotect a payment transaction performed on Paypal, the start/stoptrigger module 215 could determine when the user's keyboard focus is onthe Paypal browser instance, e.g., the user is likely to be sendingsensitive login credentials or credit card information to complete thepayment, or when any part of the Paypal browser is visible, e.g.,personal Paypal user information or transaction data may be displayed.Full security protection may be enforced when this event is detected.

If the user opens a word documents for editing, the start/stop triggermodule 215 may issue a Sensitive_Stop flag, e.g., when it determinesthat the Paypal browser 135 that it is protecting no longer has keyboardfocus (such that no sensitive information meant for Paypal can becaptured by keyloggers), or when it determines that the Paypal browser135 no longer has window focus and no visible area is shown (such thatno sensitive personal information related to Paypal can be capturedthrough screen capturing software). Thus, security mechanisms can beturned off when this even occurs.

The timing for the start/stop trigger module 215 to issueSensitive_Start and Sensitive_Stop flags can be further customized andrefined to fit various security levels for various applications. Forexample, it may be deemed important to protect the user's logincredentials only for an online gaming application and not the gamingscreen. Therefore, the Sensitive_Start and Sensitive_Stop flagrequirement can be refined to detect only keyboard focus acquired orlost in the gaming application, and not to require detection of windowfocus.

In certain embodiments, the start/stop trigger module 215 may listen fora window-focus loss event of the protected application and may minimizethe protected application's window. Then, the start/stop trigger module215 may trigger the Sensitive_Stop event, since it is certain that theprotected area is not visible when minimized.
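The following is an added illustration of the start/stop trigger module described above, written for this page rather than taken from the patent. It models the trigger as a small state machine driven by focus and visibility events and emits Sensitive_Start and Sensitive_Stop flags only on transitions, so the lockout modules are not toggled repeatedly. The banking policy treats either keyboard focus or a visible window as sensitive and minimizes the window on window-focus loss, as the text refines; the gaming policy watches keyboard focus only. The event names, the TriggerPolicy fields and the process names are assumptions made for the illustration.

```python
"""Start/stop trigger as a small state machine (added example, not the patent's code).

Consumes focus and visibility events for the protected application and
emits Sensitive_Start / Sensitive_Stop flags exactly on transitions,
according to a per-application policy.  Event names, the TriggerPolicy
fields and the process names are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TriggerPolicy:
    process_name: str
    keyboard_focus_sensitive: bool = True   # keystrokes bound for the app are sensitive
    visibility_sensitive: bool = True       # protected content on screen is sensitive
    minimize_on_focus_loss: bool = False    # the text's refinement: minimise, then Stop


class StartStopTrigger:
    def __init__(self, policy: TriggerPolicy):
        self.policy = policy
        self.keyboard_focus = False
        self.visible = False
        self.protected = False              # True while lockout is active
        self.flags: List[str] = []

    def _sensitive(self) -> bool:
        signals = []
        if self.policy.keyboard_focus_sensitive:
            signals.append(self.keyboard_focus)
        if self.policy.visibility_sensitive:
            signals.append(self.visible)
        return any(signals)

    def handle(self, process: str, event: str) -> Optional[str]:
        """Apply one windowing event; return the flag emitted, if any."""
        if process != self.policy.process_name:
            return None                     # events of other applications are not tracked
        if event == "keyboard_focus_gained":
            self.keyboard_focus = True
        elif event == "keyboard_focus_lost":
            self.keyboard_focus = False
        elif event == "window_shown":
            self.visible = True
        elif event == "window_hidden":
            self.visible = False
        elif event == "window_focus_lost":
            self.keyboard_focus = False
            if self.policy.minimize_on_focus_loss:
                self.visible = False        # minimised: nothing of the window is on screen
        else:
            raise ValueError(f"unknown event {event!r}")
        return self._transition()

    def _transition(self) -> Optional[str]:
        now = self._sensitive()
        if now == self.protected:
            return None                     # no edge: lockout state unchanged
        self.protected = now
        flag = "Sensitive_Start" if now else "Sensitive_Stop"
        self.flags.append(flag)
        return flag


def banking_scenario() -> List[str]:
    """Login page visible, keystrokes, then the user switches to another window."""
    t = StartStopTrigger(TriggerPolicy("bank_browser", minimize_on_focus_loss=True))
    for event in ("window_shown", "keyboard_focus_gained", "keyboard_focus_lost",
                  "window_focus_lost", "window_shown"):
        t.handle("bank_browser", event)
    return t.flags


def gaming_scenario() -> List[str]:
    """Only login keystrokes are sensitive; the game screen may stay visible."""
    t = StartStopTrigger(TriggerPolicy("game", visibility_sensitive=False))
    for event in ("window_shown", "keyboard_focus_gained", "keyboard_focus_lost"):
        t.handle("game", event)
    return t.flags
```

In the banking scenario the loss of keyboard focus alone does not produce Sensitive_Stop while the page remains visible; only the minimizing focus-loss event does, which is the certainty the text relies on. In the gaming scenario the window being shown produces no flag at all, since the policy declares only keyboard focus sensitive.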

As an enhancement to achieve transparent and seamless end-point protection, current end-point protection and/or lockout mechanisms on the end-user device 105 may need to be modified to support fast and on-demand activation and de-activation. Working in collaboration with the start/stop trigger module 215, a fast-switching engine may provide seamless transition when switching between a protected application and a non-protected application. End-point protection may be turned on quickly when the user is working on the protected application and may be turned off quickly when the user switches to a non-protected application. To achieve fast switching, traditional techniques like network tunnel pre-establishment or keep-alive and application pre-loading of the end-point protection process can be used. In one embodiment, the pre-establishment and pre-loading can be done when the OS starts up and/or when the end-point protection mechanism is first activated. The corresponding cleanup can be done when the last protected application is closed and/or when the OS shuts down.

An example process incorporating start/stop triggers includes:

(1) The end user boots up the computer and launches messaging software like MSN and Skype.

(2) The end user opens a browser 135 session, and activates the connection agent 130 to access his Internet Banking site (e.g., Citibank), which has implemented TNT security software, to transfer funds to his friend.

(3) The connection agent 130 establishes a secure data exchange to the Citibank site.

(4) An install agent 182, e.g., Citibank ActiveX object, is downloaded and loaded into memory.

(5) The install agent 182 downloads and installs the security engine 177 and/or security profiles 180.

(6) The start/stop trigger module 215 determines that the Citibank Webpage is in focus, issues a Sensitive_Start flag, and activates the security engine 177. All traffic goes through the compulsory non-hijack tunnel and other applications are blocked. The MSN and Skype connections break during this stage.

(7) The end user logs securely into the Citibank Internet banking site and his login credentials are protected by the security engine 177.

(8) Before completing the fund transfer transaction, the end user switches to his MSN application to chat with his friend to confirm the amount of transfer.

(9) Since focus is lost from the Citibank Internet banking site, the start/stop trigger module 215 detects the window focus loss event, minimizes the Citibank browser 135 session, issues the Sensitive_Stop flag, and disables the security engine 177. Thus, traffic is allowed to go through the original route and not the compulsory tunnel. Further, application blocking is turned off.

(10) MSN detects network connectivity and reconnects, allowing the end user to chat with his friend.

(11) The end user launches his Excel application and updates his daily expenses spreadsheet.

(12) The end user switches back to the Citibank website. The start/stop trigger module 215 notes the Sensitive_Start flag and re-enables the security engine 177. The MSN and Skype connections break again.

(13) The end user completes the fund-transfer transaction and closes the Citibank browser 135 session.

(14) The security engine 177 and/or security profiles 180 are unloaded from memory.

It will be appreciated that traditional keylogger protection mechanisms employ anti-virus detection logic to find and remove resident keyloggers on the end-user device. Unlike computer viruses or worms, keyloggers on their own do not attempt to propagate, making keyloggers hard to detect or block using heuristics. Generally, keyloggers hook onto processes available in the end-user device operating system to capture but not modify keystrokes entered by the end user using any keyboard input device or software (e.g., visual keyboard). In certain embodiments, as an alternative approach, the trusted driver manager 230 allows resident intended or unintended keyloggers to continue execution, but renders the keylogging operation ineffective when necessary.

In certain embodiments, the keyboard input device driver 140 must be trusted. The trusted driver manager 230 validates the current driver 140 by comparing a secure ID, a secure hash, and/or the like against a list of trusted and/or untrusted keyboard input secure drivers, IDs, hashes, and/or the like. When the keyboard input device driver 140 is unknown, i.e., not in the list of trusted and/or untrusted drivers, the trusted driver manager 230 can temporarily or permanently replace the unknown driver 140 with a trusted driver, possibly only for the duration of the data exchange session.
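The following is an added example of the validation step performed by the trusted driver manager 230; it is written for this page and is not the patent's code. It hashes a driver image and classifies it against a trusted list and an untrusted list, treating anything in neither list as unknown, which is the case the text says leads to replacement for the session. The driver images, both lists and the action names are constructed here; a real check would hash the driver file or mapped image and would normally also verify its code signature.

```python
"""Keyboard driver validation by secure hash (added example, not the patent's code).

Models the trusted driver manager's check: hash the loaded keyboard input
driver image and look the hash up in trusted and untrusted lists; anything
in neither list is 'unknown' and is swapped for a trusted driver for the
session.  The driver images and both lists are constructed in this file.
"""
import hashlib
from typing import Dict

# Constructed stand-ins for driver binaries (a real check hashes the file on
# disk or the mapped image and should also verify its code signature).
TRUSTED_IMAGE = b"MZ" + b"trusted keyboard class driver build 1 " * 4
UNTRUSTED_IMAGE = b"MZ" + b"known keylogging filter driver " * 4
UNKNOWN_IMAGE = b"MZ" + b"vendor keyboard filter never seen before " * 4


def driver_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


# Lists the manager receives with the security profile; here derived from the
# constructed images above, keyed by hash with a human-readable label.
TRUSTED_HASHES: Dict[str, str] = {driver_hash(TRUSTED_IMAGE): "kbdclass build 1"}
UNTRUSTED_HASHES: Dict[str, str] = {driver_hash(UNTRUSTED_IMAGE): "keylogging filter"}


def classify_driver(image: bytes,
                    trusted: Dict[str, str] = TRUSTED_HASHES,
                    untrusted: Dict[str, str] = UNTRUSTED_HASHES) -> str:
    """Return 'trusted', 'untrusted' or 'unknown' for the given driver image."""
    h = driver_hash(image)
    if h in trusted:
        return "trusted"
    if h in untrusted:
        return "untrusted"
    return "unknown"


def session_action(verdict: str) -> str:
    """What the trusted driver manager does for the data exchange session
    (the text allows the replacement to be temporary or permanent)."""
    return {
        "trusted": "keep",
        "untrusted": "replace",
        "unknown": "replace_for_session",
    }[verdict]


def evaluate(image: bytes) -> str:
    return session_action(classify_driver(image))


def tampered_copy(image: bytes, offset: int = 40) -> bytes:
    """A single flipped bit turns a trusted image into an unknown one."""
    buf = bytearray(image)
    buf[offset] ^= 0x01
    return bytes(buf)
```

The tampered copy shows why the lookup has to be by full-image hash rather than by driver name or version string: a modified build of a trusted driver no longer matches and falls into the unknown case.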

In certain embodiments, resident keyloggers may capture keystrokes from any available OSI level beginning from the keyboard input device driver 140 to the user space application 145. Since keyloggers invisibly and passively capture keystrokes, it is reasonable to assume that the keyloggers (unlike the end user, end user application or remote application) cannot differentiate valid or invalid keystrokes from keyboard input devices. Accordingly, the keystrokes generator driver 235 can modify the sequence of end user supplied keystrokes. The modified pattern can be application sensitive, such that it is only generated when specific applications that require keylogger protection are active.

The keyboard data exchange end-point protection may follow one of various implementation models, e.g., a standalone keystrokes generator driver 235 with application monitoring hook 250 (standalone mode); or a dual keystrokes generator driver 235 and keystrokes deletion hook 240 with optional application monitoring hook 250 (producer consumer mode).

In standalone mode, the keystrokes generator driver 235 generates fake keystrokes when the keystrokes input by the end user need to be protected. For example, the keystrokes generator driver 235 can generate invalid keystrokes such as non-existent application shortcut menu options that will be silently dropped by the browser 135 when confidential data is input by the end user. The application monitoring hook 250, which in one embodiment may be part of the start/stop trigger module 215, determines when the keystrokes input by the end user need to be protected based on the current application status receiving the keystrokes. A non-exhaustive list of relevant application status information includes the application process name, current active text input frame (e.g., application configuration input or user specific data input), valid and invalid application keystrokes, etc. In one embodiment, the keystrokes generator driver 235 determines the keystrokes to generate. In another embodiment, the application monitoring hook 250 analyzes the application status and determines the keystrokes for the keystrokes generator driver 235 to generate.

In producer consumer mode, the keystrokes generator driver 235 and keystrokes deletion hook 240 control keystroke generation and deletion. In one embodiment, the keystrokes generator driver 235 may embed identification of the fake keystrokes within the keystrokes data flow (inband mode), may be managed by an external controller such as the application monitoring hook 250 (outband mode), or may employ a combination of inband and outband controls. The keystrokes deletion hook 240 can be implemented as an OS hook or application-specific plug-in installed at the last possible level of the keyboard input processing flow shown in FIG. 6. The execution point of the keystrokes deletion hook 240 is operatively contradictory to the keyloggers' implementation requirement, which attempts to be at the earliest point in the input processing flow to avoid being circumvented. The keystrokes deletion hook 240 deletes fake keystrokes generated by the keystrokes generator driver 235, before the fake keystrokes are processed by the protected end-user applications.
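The following is an added simulation of the producer consumer mode in inband form, written for this page rather than taken from the patent. It walks a keystroke stream through the levels of FIG. 6: the keystrokes generator (level 630) interleaves fake keystrokes carrying an inband tag only while the protected application is active, a passive observer standing in for a keylogger hook (level 640) records every key value it sees, and the keystrokes deletion hook (level 645) strips the tagged fakes so the application (level 650) receives the clean pattern. The Keystroke record, its tag field, the session tag value and the observer are assumptions made for the illustration.

```python
"""Producer/consumer keystroke protection (added example, not the patent's code).

Simulates the keyboard input processing flow of FIG. 6 with plain Python
objects.  The Keystroke record, its tag field, the session tag value and
the passive observer are assumptions made for this illustration.
"""
import random
from dataclasses import dataclass
from typing import List, Tuple

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
SESSION_TAG = 0x5A17            # constructed per-session value for inband identification


@dataclass(frozen=True)
class Keystroke:
    key: str
    tag: int = 0                # 0 = genuine user keystroke; SESSION_TAG marks a fake


class KeystrokesGenerator:
    """Level 630: emits fake keystrokes only while a protected application is active."""

    def __init__(self, tag: int, fakes_per_key: int, rng: random.Random):
        self.tag, self.fakes_per_key, self.rng = tag, fakes_per_key, rng

    def _fake(self) -> Keystroke:
        return Keystroke(self.rng.choice(ALPHABET), self.tag)

    def produce(self, user_keys: str, protected_active: bool) -> List[Keystroke]:
        stream: List[Keystroke] = []
        for ch in user_keys:
            if protected_active:
                stream.extend(self._fake() for _ in range(self.fakes_per_key))
            stream.append(Keystroke(ch))
        if protected_active:                   # trailing fakes surround the last real key too
            stream.extend(self._fake() for _ in range(self.fakes_per_key))
        return stream


class PassiveObserver:
    """Level 640: stands in for the keylogger hook the text assumes, which copies
    key values but cannot tell genuine keystrokes from generated ones."""

    def capture(self, stream: List[Keystroke]) -> str:
        return "".join(k.key for k in stream)


class KeystrokesDeletionHook:
    """Level 645: removes every keystroke carrying the session tag."""

    def __init__(self, tag: int):
        self.tag = tag

    def consume(self, stream: List[Keystroke]) -> str:
        return "".join(k.key for k in stream if k.tag != self.tag)


def run_pipeline(user_keys: str, protected_active: bool, seed: int = 7) -> Tuple[str, str]:
    """Return (what the observer captured, what the application received)."""
    gen = KeystrokesGenerator(SESSION_TAG, fakes_per_key=2, rng=random.Random(seed))
    stream = gen.produce(user_keys, protected_active)
    return PassiveObserver().capture(stream), KeystrokesDeletionHook(SESSION_TAG).consume(stream)
```

With protection active, the observer records a string three times longer than the genuine input plus trailing noise, while the application receives exactly what the user typed; with protection inactive, the generator stays silent and both see the same keys, which is the application-sensitive behaviour described above.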

For keyloggers requiring local or remote keystrokes disk storage with a limited keystrokes memory buffer, I/O blocking logic (possibly combined with either or both of the above mentioned approaches) can cause such keyloggers to lose keystrokes data or malfunction. One example process includes:

(1) Start I/O blocking.

(2) Before the end user inputs confidential data, the keystrokes generator driver 235 generates fake keystrokes to fill up the keyloggers' limited memory buffer or causes the keyloggers to lose data.

(3) After the end user inputs confidential data, the keystrokes generator driver 235 generates fake keystrokes to overwrite any keyloggers' limited memory buffer or causes the keyloggers to lose data.

(4) Stop I/O blocking.

It will be appreciated that VPN tunneling is a well-established concept used to authenticate access to a remote network with private resources, to provision access to the remote network with the private resources, and to secure the confidentiality and integrity of the private data exchanged between the end-user device and the remote network. VPN tunneling can also indirectly prevent access to other public resources originally accessible to the end-user device. Further, VPN tunneling may be used for server authentication (authenticating the transaction network 120) and for client authentication (authenticating the end-user device 105). VPN tunnel encryption indirectly prevents tunnel hijacking, since encrypted data cannot be spoofed. VPN tunneling may be used to allow access to a predetermined set of resources without requiring a network revamp. This predetermined set of resources can be a combination of public resources (e.g., resources the end-user device 105 can remotely access before the VPN tunnel is established) and private resources (resources that the end-user device 105 can only access after the VPN tunnel is established).

For certain embodiments of the invention, a VPN may be valued to authenticate the remote network, to provision access to the authenticated remote network resources, to prevent access to all other remote resources outside the authenticated remote network, and to ensure the integrity of the data exchanged between the two end-points (the end-user device and the authenticated remote network).

To authenticate the remote network, the connection agent 130 and/or transaction network VPN manager 250 may authenticate the remote network (e.g., the transaction network 120) using any predefined direct or indirect trust relationship. Authentication can be achieved indirectly using existing public key infrastructure (PKI) mechanisms or directly using a predefined secret key.

To ensure the integrity of the data exchanged, after the authentication phase, the connection agent 130 and/or transaction network VPN manager 250 may employ a key exchange process with the authentication router, e.g., using Diffie-Hellman key exchange. This key exchange process may be integrated with the authentication process as a single phase, e.g., Perfect Forward Secrecy. The transaction network 120 may use the ephemeral key negotiated by the key exchange process to ensure data integrity between the two end-points, to verify the integrity of data received from the end-user device 105, and/or to generate a message authentication code for the data sent from the remote network to the end-user device 105, e.g., Message-Digest algorithm 5. The same reverse logic applies to the connection agent 130 and/or transaction network VPN manager 250. The message authentication code can be inband (part of the data exchange, e.g., IPSEC Authentication Header) or outband (e.g., using a different communication channel).
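The following is an added example, written for this page and not taken from the patent, of the key exchange and inband integrity protection described in this and the preceding paragraph. The connection agent and the authentication router agree on an ephemeral shared secret with Diffie-Hellman, derive an integrity key from it, and then each datagram carries a sequence number and a message authentication code that the receiver verifies before accepting the payload; tampered and replayed frames are rejected. The group (the Mersenne prime M127 with generator 3) is a toy size chosen so the example runs instantly and is not suitable for deployment, and HMAC-SHA-256 is used in place of the MD5 the text names as a design choice for this illustration; the frame layout and the sample payload are constructed here.

```python
"""Ephemeral key agreement plus inband message authentication (added example,
not the patent's code).

Two parties (connection agent and authentication router) agree on a shared
key with Diffie-Hellman, derive an integrity key from it and then protect
each datagram with an inband HMAC, rejecting tampered or replayed frames.
The group is a toy size chosen for speed; the frame layout and payload
are constructed for this illustration.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

P = (1 << 127) - 1      # toy prime modulus (M127); far too small for production use
G = 3
MAC_LEN = 32
SEQ_LEN = 4


def dh_keypair() -> Tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 2          # 2 <= priv <= P-1
    return priv, pow(G, priv, P)


def dh_integrity_key(priv: int, peer_pub: int) -> bytes:
    """Reject degenerate public values, then derive a 256-bit key from g^ab."""
    if not 1 < peer_pub < P - 1:
        raise ValueError("invalid peer public value")
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(b"tnt-integrity|" + shared.to_bytes(16, "big")).digest()


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Inband MAC: frame = seq || payload || HMAC(key, seq || payload)."""
    header = seq.to_bytes(SEQ_LEN, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def open_frame(key: bytes, frame: bytes, expected_seq: int) -> Optional[bytes]:
    """Return the payload if the MAC verifies and the sequence number is fresh."""
    if len(frame) < SEQ_LEN + MAC_LEN:
        return None
    body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None                               # modified in transit
    if int.from_bytes(body[:SEQ_LEN], "big") != expected_seq:
        return None                               # replayed or out of order
    return body[SEQ_LEN:]


def demo() -> dict:
    # Key exchange between the end-user device (agent) and the authentication router.
    a_priv, a_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    k_agent = dh_integrity_key(a_priv, r_pub)
    k_router = dh_integrity_key(r_priv, a_pub)

    payload = b"transfer 100 to account 42"       # constructed application data
    frame = seal(k_agent, 1, payload)
    tampered = bytearray(frame)
    tampered[SEQ_LEN] ^= 0x01                     # flip one payload bit in transit

    return {
        "keys_match": k_agent == k_router,
        "accepted": open_frame(k_router, frame, 1),
        "tampered_rejected": open_frame(k_router, bytes(tampered), 1) is None,
        "replay_rejected": open_frame(k_router, frame, 2) is None,
    }
```

The MAC is checked before the sequence number so that an attacker cannot use the replay check as an oracle on unauthenticated data, and compare_digest is used so that verification time does not depend on how many tag bytes match. Without the authentication phase described in the preceding paragraph, the exchange shown here would be vulnerable to a man-in-the-middle, which is why the text integrates the two.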

Tunneling, authentication and data integrity verification can be decoupled in implementation, i.e., they may be performed by independent entities. For example, the VPN tunnel can be established between the end-user device 105 and a hardware-based dedicated tunneling router. Authentication may be performed between the end-user device 105 and a server behind the tunneling router. Since in one embodiment tunneling involves only encapsulation and decapsulation, a dedicated tunneling router can perform it efficiently. If traffic integrity checking is performed inband of the tunnel, then, based on the source and the destination IP address of the traffic with message authentication code, the tunneling router could route or load balance the traffic to different authentication servers to perform data integrity checking.

To prevent access to remote resources, the connection agent 130 and/or VPN manager 250 may establish a compulsory tunnel from the end-user device 105 to the transaction network 120. Conversely, traffic from the transaction network 120 to the end-user device 105 need not necessarily be tunneled. To provide access to authenticated resources and to prevent access to all other remote resources, a bi-directional or unidirectional tunnel may be used, a virtual IP may be allocated to the end-user device 105, and/or ingress or egress filtering may be used.

If a virtual IP is allocated to each end-user device 105 to access the remote network resources, all end-user devices 105 can be grouped under a common pool of IP addresses. As illustrated in FIG. 7, ingress filtering of these virtual IP addresses can be used to prevent data from the end-user devices 105 from being routed out of the authenticated remote network. Ingress filtering may not be possible if a uniquely identifiable virtual IP address pool is not allocated. In the case where ingress filtering is not possible, egress filtering can be done after the tunnel decapsulation router to ensure that only resources within the authenticated network are accessible.

There may be one or more default routers for the pool of virtual IP addresses. All data sent to these virtual IP addresses may be routed to these default routers. Bi-directional tunneling may be used if a virtual IP address is allocated, because the virtual IP address is only routable within the remote network. An exception may be employed when the virtual IP address used is a publicly routable IP address belonging to the end-user device 105. When bi-directional tunneling is employed, the virtual IP addresses' default routers can encapsulate the data from the remote network back to the end-user device 105. Unlike the tunnel decapsulation router, which is stateless, the default routers can maintain the tunnel state information. The tunnel state information may include the WAN IP to virtual IP association of the end-user device 105, to encapsulate and tunnel data back to the end-user device 105. The expiry of the tunnel state information may be effected via keep-alive messages sent from the connection agent 130 directly or indirectly to the default router(s).
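The following is an added example, written for this page and not taken from the patent, of the two filters and the default-router state described in the preceding two paragraphs. The ingress filter at the remote network's border drops any datagram whose source lies in the virtual IP pool but whose destination lies outside the authenticated network; the egress filter applied after the decapsulation router is the fallback for the case where no distinct pool exists. The default router keeps the WAN IP to virtual IP association refreshed by keep-alives and stops encapsulating return traffic once that association has expired. The address ranges, the keep-alive TTL and the packet records are constructed here.

```python
"""Virtual IP pool filtering and default-router tunnel state (added example,
not the patent's code).

All address ranges, the TTL and the packet dictionaries are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

VIRTUAL_POOL = ip_network("10.200.0.0/16")         # pool handed to end-user devices
AUTHENTICATED_NET = ip_network("10.10.0.0/16")     # remote network resources


def ingress_filter(src: str, dst: str) -> bool:
    """At the remote network's Internet border: a virtual-IP source must never
    leave the authenticated network.  True = forward, False = drop."""
    if ip_address(src) in VIRTUAL_POOL and ip_address(dst) not in AUTHENTICATED_NET:
        return False
    return True


def egress_filter_after_decapsulation(dst: str) -> bool:
    """Fallback when no distinct pool exists: right after the decapsulation
    router, only destinations inside the authenticated network pass."""
    return ip_address(dst) in AUTHENTICATED_NET


class VirtualIpDefaultRouter:
    """Default router for the pool: keeps virtual IP -> (WAN IP, expiry) and
    tunnels return traffic back to the device's WAN address."""

    def __init__(self, ttl_seconds: float):
        self.ttl = ttl_seconds
        self.state: Dict[str, Tuple[str, float]] = {}

    def keep_alive(self, virtual_ip: str, wan_ip: str, now: float) -> None:
        # Sent by the connection agent, directly or indirectly; refreshes the entry.
        self.state[virtual_ip] = (wan_ip, now + self.ttl)

    def expire(self, now: float) -> None:
        self.state = {v: (w, t) for v, (w, t) in self.state.items() if t > now}

    def encapsulate_return(self, inner_dst: str, payload: bytes, now: float) -> Optional[dict]:
        """Wrap a datagram addressed to a virtual IP in a tunnel header towards the
        device's WAN IP; None when no live association exists."""
        self.expire(now)
        entry = self.state.get(inner_dst)
        if entry is None:
            return None
        return {"outer_dst": entry[0], "inner_dst": inner_dst, "payload": payload}


def demo() -> dict:
    router = VirtualIpDefaultRouter(ttl_seconds=30)
    router.keep_alive("10.200.0.5", "198.51.100.7", now=0.0)
    return {
        "device_to_bank": ingress_filter("10.200.0.5", "10.10.1.20"),
        "device_to_internet": ingress_filter("10.200.0.5", "203.0.113.9"),
        "bank_host_to_internet": ingress_filter("10.10.1.20", "203.0.113.9"),
        "egress_to_bank": egress_filter_after_decapsulation("10.10.1.20"),
        "egress_to_internet": egress_filter_after_decapsulation("203.0.113.9"),
        "return_while_alive": router.encapsulate_return("10.200.0.5", b"reply", now=10.0),
        "return_after_expiry": router.encapsulate_return("10.200.0.5", b"reply", now=45.0),
    }
```

The ingress rule keys on the source address, which only works because the pool is uniquely identifiable; the egress rule keys on the destination and therefore needs no pool at all, which is why the text offers it as the alternative.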

In one embodiment, tunneling protocols can reuse the IP address of the end-user device 105 for both the tunnel IP header (traffic between the end-user device 105 and the decapsulation router) and the application IP header (traffic between the end-user device 105 and the remote network resources). If the tunneling protocol can reuse the IP address of the end-user device 105 for both tunneling and application communication, virtual IP provisioning by the remote network may be unnecessary. If computing device IP address reuse is not automatic, the remote network may use the virtual IP provisioning mechanism to decide if a localized virtual IP may be used for application communication or allocate the computing device IP address as the virtual IP.

The remote network virtual IP provisioning system may determine if the end-user device 105 is behind a Network Address Translation (NAT) or Network Address and Port Translation (NAPT) router, to determine what application communication IP address and tunneling protocol to use. By reusing the IP address of the end-user device 105 instead of a localized virtual IP for the tunnel IP header, bi-directional tunneling can be avoided. The application traffic from the remote network resources may be sent directly to the end-user device 105. Thus, virtual IP default router(s) to encapsulate the return traffic may be unnecessary.

If the end-user device is behind a NAT or NAPT router, a unidirectional transport level tunneling protocol that is NAT and NAPT friendly may be used. Instead of having both a tunnel IP header and an application IP header, there may be only one IP header. The unidirectional transport level tunneling protocol may be intended for application traffic from the end-user device 105 to the remote network decapsulation router.

An example tunneling encapsulation procedure is provided as follows:

(1) The end-user device 105 generates application data and an application IP header (i.e., an application IP datagram).

(2) The application IP datagram is sent to the tunneling driver.

(3) The tunneling driver inserts the original destination IP address in the transport header field (e.g., the TCP option field) or between the transport header and the application payload.

(4) The tunneling driver replaces the destination IP address with the IP address of the remote network decapsulation router.

(5) The tunneling driver may set the IP header type-of-service field to indicate the datagram is encapsulated.

(6) The tunneling driver adjusts the IP header total length and re-computes the IP header checksum.

(7) The encapsulated IP datagram is transmitted.

An example tunneling decapsulation procedure is as follows:

(1) The decapsulation router checks if the datagram is encapsulated, e.g., checks the IP header type-of-service field or TCP option field.

(2) If the datagram is encapsulated, the decapsulation router replaces the destination IP address with the original embedded application destination IP address.

(3) The embedded application destination IP address may or may not be removed by the decapsulation router.

(4) The decapsulation router re-computes the IP header checksum and adjusts the IP header total length if necessary.

(5) The decapsulated IP datagram is transmitted.
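The following is an added, runnable version of the encapsulation steps (1) to (7) and decapsulation steps (1) to (5) above, written for this page and not taken from the patent. It builds a genuine IPv4/TCP datagram with struct, embeds the original destination in a TCP option, rewrites the destination to the decapsulation router, marks the type-of-service field, adjusts the total length and recomputes the checksums; the decapsulation side reverses this and the round trip reproduces the original datagram byte for byte. The type-of-service marker value, the use of an experimental TCP option kind (253, from the range RFC 6994 reserves for experiments) to carry the embedded address, and all addresses are constructed for this illustration. One detail the steps above do not mention is handled here as well: the TCP checksum covers a pseudo-header containing the destination IP address and the option bytes, so a real tunneling driver must recompute it too or the endpoint will discard the segment.

```python
"""Transport-level tunnel encapsulation/decapsulation (added example, not the
patent's code).  ToS marker, option kind and addresses are constructed.
"""
import struct
from ipaddress import IPv4Address
from typing import List, Tuple

ENCAP_TOS = 0x04   # assumed marker written into the IP type-of-service field
OPT_KIND = 253     # experimental TCP option kind (RFC 6994), used here for the embedded address


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum over data (RFC 1071); verifies to 0 over a checksummed block."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encode_options(options: List[Tuple[int, bytes]]) -> bytes:
    raw = b"".join(bytes([kind, len(data) + 2]) + data for kind, data in options)
    return raw + b"\x00" * (-len(raw) % 4)          # pad with End-of-Option-List


def decode_options(raw: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                                # EOL: the rest is padding
            break
        if kind == 1:                                # NOP
            i += 1
            continue
        length = raw[i + 1]
        out.append((kind, raw[i + 2:i + length]))
        i += length
    return out


def build_datagram(src: str, dst: str, sport: int, dport: int, payload: bytes,
                   tos: int = 0, options=()) -> bytes:
    """IPv4 + TCP with fixed seq/ack/flags; enough to exercise the tunneling steps."""
    opts = encode_options(list(options))
    data_offset = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, data_offset << 4, 0x18,
                      65535, 0, 0) + opts + payload
    pseudo = IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(tcp), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp


def parse_datagram(dgram: bytes) -> dict:
    ihl = (dgram[0] & 0x0F) * 4
    tcp = dgram[ihl:]
    doff = (tcp[12] >> 4) * 4
    return {
        "tos": dgram[1],
        "src": str(IPv4Address(dgram[12:16])),
        "dst": str(IPv4Address(dgram[16:20])),
        "sport": struct.unpack("!H", tcp[0:2])[0],
        "dport": struct.unpack("!H", tcp[2:4])[0],
        "options": decode_options(tcp[20:doff]),
        "payload": tcp[doff:],
    }


def checksums_ok(dgram: bytes) -> bool:
    """Both the IP header checksum and the TCP checksum verify."""
    ihl = (dgram[0] & 0x0F) * 4
    tcp = dgram[ihl:]
    pseudo = dgram[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return ones_complement_sum(dgram[:ihl]) == 0 and ones_complement_sum(pseudo + tcp) == 0


def encapsulate(dgram: bytes, router: str) -> bytes:
    f = parse_datagram(dgram)
    embedded = (OPT_KIND, IPv4Address(f["dst"]).packed)          # step (3)
    return build_datagram(f["src"], router, f["sport"], f["dport"], f["payload"],
                          tos=ENCAP_TOS, options=f["options"] + [embedded])  # steps (4)-(6)


def decapsulate(dgram: bytes) -> bytes:
    f = parse_datagram(dgram)
    embedded = [d for k, d in f["options"] if k == OPT_KIND]
    if f["tos"] != ENCAP_TOS or not embedded:                    # step (1): forward unchanged
        return dgram
    kept = [o for o in f["options"] if o[0] != OPT_KIND]         # step (3): option removed here
    return build_datagram(f["src"], str(IPv4Address(embedded[0])), f["sport"], f["dport"],
                          f["payload"], tos=0, options=kept)     # steps (2) and (4)
```

Because the router needs nothing beyond what is carried in the datagram itself, it keeps no per-flow table, which is the stateless property the text contrasts with port forwarding. The six-byte option is padded to eight, so an encapsulated datagram is eight bytes longer than the original; a driver has to account for that against the path MTU.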

Embodiments of the tunneling protocol achieve functionality similar toTCP or UDP port forwarding, without the need for the decapsulationrouter to keep state or port to IP address mapping configurationinformation. Such information is encapsulated in the tunneled datagram.

If the remote network provisioning system can verify that the trafficfrom the end-user device 105 will not be NATed, standard tunnelingprotocols (e.g., GRE, IP-in-IP, etc.) can be used. The IP of theend-user device 105 can be reused for both the tunnel IP header andapplication IP header using standard tunneling protocol. The tunneledtraffic can be decapsulated by standard routers and the remote networkresources can directly reply to the end-user device 105 withoutbi-directional tunneling.

Embodiments of the invention enable application-specific encryption(e.g., HTTPS) to be used in conjunction with the tunneling mechanismdescribed herein to ensure privacy of confidential data. That is, therecan be a combination of encrypted and unencrypted data exchange throughthe tunnel. This reduces encryption and decryption overhead to onlyconfidential data, instead of maintaining encryption and decryptionoverhead for all data in a VPN architecture.

FIG. 3 is a block diagram illustrating a network system 300 operative toeffect a trusted network transaction (TNT) with an Internet bankingportal, in accordance with an embodiment of the present invention.

As shown, in step 1, the end user accesses his original Internet bankingportal URL via a browser 135 installed on an insecure end-user device105.

In step 2, the existing Internet banking login page detects whether theend user's browser 135 is capable of supporting TNT, e.g., supportsActiveX controls. If so, the Internet server 315 displays the Internetbanking login page with an additional “button” for the end user toselectively enable TNT security. If the end-user device 105 cannotsupport TNT, then the original Internet banking login page is displayedwithout the TNT button.

In step 3, the end user clicks on the TNT button, which causes theInternet banking server 315 to download the install agent 182, e.g., anActiveX control, to the end-user device 105. The end-user device 105confirms that the install agent 182 is digitally signed by the bank,which is a trusted party by the end-user device 105. The end-user device105 allows the trusted install agent 182 to execute.

In step 4, the install agent 182 establishes a VPN tunnel to apredefined VPN server 320 in the banking server farm 310 and establishespredefined VPN authentication credentials. After the VPN tunnel isestablished, all network traffic from the end-user device 105 is sent tothe VPN server 320. That is, the end-user device 105 is disconnectedfrom the rest of the Internet. The VPN server 320 (or a firewall)manages network resources accessible by the end-user device 105. Thatis, only network resources (e.g., the Internet banking web site)required for Internet banking transactions are made accessible to theend-user device 105.

In step 5, the security engine 177 is downloaded over the VPN. Armedwith the security engine 177, an application lockout module 220 may beused to suspend applications not required for the Internet bankingtransaction and to prevent new applications from being executed.

In step 6, after the end user completes all Internet bankingtransactions and requests logout, the install agent 182 may bedownloaded again. The install agent 182 detects the previously existingactive TNT session, removes the security engine 177, and terminates theVPN tunnel before ending the install agent 182 process.

FIG. 4 is a block diagram illustrating a network system 400 operative toeffect a TNT by an end-user device 405 with a banking portal, the TNTbeing managed by the end user's ISP network 440, in accordance with anembodiment of the present invention. In one embodiment, the end user'sISP network 440 may provide TNT protection for multiple transactionsites 120. The network system includes the ISP network 440 coupled viathe Internet 450 to a banking server farm 445. The ISP network 440includes the end-user device 405 coupled via an intranet 435 to an ISPserver 410, to a VPN server 415, and to a VPN router 420. The bankingserver farm 445 includes a banking server 425 and a VPN router 430. TheVPN router 420 of the ISP network 440 is coupled to the VPN router ofthe banking server farm 445 via the Internet 450.

In step 1, the end-user device 405 accesses the banking server 425 via asoftware application, e.g., the connection agent 130, that enables theuser to select from multiple specific URLs of TNT-enabled sites 120.Upon selection of a URL, the software application is configured todirect the browser 135 to the selected URL. The list of specific URLsmay be installed on the end-user device 405 by the ISP 410 or may beavailable on the portal page of the ISP 410. Alternatively, the end-userdevice 405 may navigate directly to the banking server 425, possibly viaa TNT “button” from the site presented by the ISP server 410.

In step 2, the end user selects the URL of the transaction network 120to access with TNT protection. The connection agent 130 establishes apreliminary VPN with the ISP server 410. The install agent 182 isdownloaded from the ISP server 410 (or other trusted source dedicated tosupporting TNT for the banking site 425). The end-user device 405 isinformed that the install agent 182 is digitally signed by the ISPserver 410, which is a trusted by the end-user device 405. The end-userdevice 405 allows the install agent 182 to execute. The install agent182 may be embedded with the latest IP addresses of the TNT-enabledsites or VPN servers (independent of DNS updates propagation delays orDNS security risks). The OS host file of the end-user device 105 may beupdated by the install agent 182 with the IP addresses to prevent URLredirection for TNT protected sites due to DNS poisoning. Any changes tothe TNT-managed IP addresses may be controlled by the ISP server 410. Atransaction network 120, e.g., banking server 425, informs the ISPserver 410 whenever changes in the IP addresses of web servers occur(instead of depending on Internet DNS updates).

In step 3, the install agent 182 establishes a VPN tunnel to the VPNserver 415 using predefined VPN authentication credentials specified inthe ISP server's web page (from the URL selected in Step 2). The VPNauthentication credentials can be uniquely created from each TNT sessionto associate the specific end-user device 405 to access the bankingserver 425, even if the end-user device 405 is hidden behind an NATrouter. For example, the VPN login userid could be the subscriber ISPuserid+end-user device 105 MAC address or computer name (detected by theTNT ActiveX control)+target TNT site. This allows the ISP server 410 totrack down the actual end-user device 405 performing online TNTtransactions if there is any audit requirements or to “blacklist” anend-user device 105 (instead of the end user who can continuously changehis login credentials) that regularly posts false offers for onlineauctions web sites, etc.

In step 4, after the temp VPN tunnel is established, all network trafficfrom the end-user device 405 is sent to the VPN server 415. That is, theend-user device 405 is disconnected from the rest of the Internet. TheVPN server 415 (or a firewall) within the ISP network 440 manages thenetwork resources accessible by the end-user device 405. That is, onlynetwork resources (e.g., the banking server 425) required for theInternet banking transactions are made accessible.

In step 5, the security engine 177 and/or security profiles 180 aredownloaded, installed and executed. Using the application lockoutmodule, the security engine 177 blocks applications not required for theInternet banking transactions and prevents new applications from beingexecuted. Other TNT protection mechanisms may also be used. Thetransaction network VPN manager 250 establishes a VPN tunnel with theVPN server 415.

In step 6, the VPN server 415 is deployed. To ensure network securityover the Internet 450 from the ISP network 440 to the banking server425, a permanent VPN tunnel may be established between the ISP network440 and the banking server 425, e.g., using the ISP-managed VPN router420 and the bank-managed VPN router 430. This ensures that intermediateInternet routers between the ISP network 440 and the banking server 425cannot hijack traffic to and/or from the end-user device 405. This alsoallows the banking server 425 to manage additional network securitypolicies within their own network on top of those provided by the ISPnetwork 440.

In step 7, after the end user completes his Internet bankingtransactions and requests logout, the install agent 182 is downloadedagain from the ISP server 410. The install agent 182 detects theprevious existing active TNT session, removes the security engine 177,and terminates the VPN tunnel before ending the install agent 182process.

Combinations of the various techniques described in this invention couldbe used in an actual deployment of TNT. Various alternativetechnologies, e.g., a Java applet instead of Microsoft ActiveX, SSLinstead of PPTP VPN tunnel, etc., can be used.

FIG. 5 is a block diagram illustrating a network system 500 operative toeffect security engine installation, in accordance with an embodiment ofthe present invention.

In step 1, the connection agent 130 uses a pre-configured andunchangeable network address to contact a secure network addressresolution service 520 to obtain the network address of a trusted sourceof the security engine 515 or a list of trusted sources. For example, anIP address of a trusted DNS security extensions (DNSSEC) server 520 maybe pre-configured in the connection agent 130.

In step 2, the connection agent 130 uses this IP address to connect tothe DNSSEC server 520 to resolve the domain name of the trusted sourceto an IP address. In another embodiment, the DNSSEC server 520 maydownload a list of approved sites, from which the end-user device 505may select a URL of the trusted source of the security engine 515.

In step 3, using the network address of the trusted source, theconnection agent 130 establishes a secure data exchange with the trustedsource, preventing network traffic from the end-user device 105 frombeing misdirected to untrusted sources and guarding against other formsof network intrusion and attacks. For example, in a TCP/IP network, inconnection agent 130 may use the resolved IP address to connect to thetrusted source, e.g., via a secure tunnel. This connection techniqueensures that the network address is accurate (e.g., not poisoned by aDNS attack), and assures that the end-user device 105 connects to theintended trusted source. Further communication protocols employed in thesecure network address resolution service 520 ensures that communicationto and from the end-user device 105 is authenticated, authoritative andaccurate.

In step 4, with a secure exchange established, the end-user device 105downloads the security engine 515, e.g., using protocols like HTTP orFTP. The secure tunnel established by the connection agent 130 ensuresthat data traffic between the end-user device 105 and the trusted sourceis secure and cannot be compromised, even when insecure protocols likeHTTP and FTP are used.

In step 5, after delivery of the security engine 515, the end-userdevice 105 executes the security engine 515. The security engine 515effectively secures the end-user device 105, e.g., allows the end-userdevice 105 to communicate only with trusted transaction sties, e.g.,trusted remote network 535, prevents other applications 145 running onthe end-user device 105 from capturing or sending information,especially to untrusted sites, etc. The user can then access andinteract with the transaction sites in confidence.

FIG. 6 is a hierarchical level diagram illustrating keyboard-input processing flow 600, in accordance with an embodiment of the present invention. Flow 600 is divided into physical space 605, kernel space 610, and application space 615. In physical space 605, the end user makes keystrokes on the keyboard at level 620. In kernel space 610, the trusted keyboard driver receives keystrokes at level 625. The keystrokes generator driver resides and generates fake keystrokes at level 630. The potential untrusted keylogger driver captures keystrokes at level 620 or thereafter. In application space 615, a potential untrusted keylogger hook potentially captures keystrokes at level 640. The keystrokes deletion hook removes fake keystrokes at level 645. The application receives the cleaned keystroke pattern at level 650. Somewhere between level 630 in kernel space 610 and level 645 in application space 615, an application monitoring hook, plugin and/or driver monitors application status, and possibly feeds information to the keystrokes generator driver at level 630.
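A constructed model of the keystroke flow of FIG. 6, added here as an example and not code from the patent: the generator driver and the deletion hook share a session secret from which both derive the same fake-keystroke schedule (the secret, the HMAC-derived schedule and the character alphabet are assumptions), so the hook strips exactly what the driver injected while a keylogger capturing between the two levels sees only the polluted stream.

```python
import hashlib
import hmac
import string

# Constructed model of the FIG. 6 flow (added example, not code from the patent).
# The keystrokes generator driver (level 630) and the keystrokes deletion hook
# (level 645) share a per-session secret and derive the same fake-keystroke
# schedule from it, so the hook can strip exactly what the driver injected.
# A keylogger capturing between the two levels sees only characters.
# The secret, the HMAC-based schedule and the 0-3 fakes per key are assumptions.

ALPHABET = string.ascii_letters + string.digits


def _fakes_before(session_secret: bytes, index: int) -> str:
    """Fake characters injected just before real keystroke number `index`.
    Both sides compute this; the keylogger, lacking the secret, cannot."""
    digest = hmac.new(session_secret, index.to_bytes(4, "big"), hashlib.sha256).digest()
    count = digest[0] % 4  # 0 to 3 fake characters
    return "".join(ALPHABET[digest[1 + i] % len(ALPHABET)] for i in range(count))


def generator_driver(session_secret: bytes, real_keys: str) -> str:
    """Kernel-space generator: real keystrokes with fakes interleaved."""
    return "".join(_fakes_before(session_secret, i) + ch for i, ch in enumerate(real_keys))


def untrusted_keylogger(stream: str) -> str:
    """What a keylogger driver or hook captures: the polluted stream, nothing more."""
    return stream


def deletion_hook(session_secret: bytes, stream: str) -> str:
    """Application-space hook: skip each fake run, keep the real key that follows."""
    cleaned, pos, index = [], 0, 0
    while pos < len(stream):
        fakes = _fakes_before(session_secret, index)
        if stream[pos:pos + len(fakes)] != fakes or pos + len(fakes) >= len(stream):
            # Mismatch means the stream was altered or the secret differs;
            # pass nothing on rather than guess which characters are real.
            raise ValueError("keystroke stream out of sync with generator schedule")
        pos += len(fakes)
        cleaned.append(stream[pos])
        pos += 1
        index += 1
    return "".join(cleaned)


if __name__ == "__main__":
    secret = b"constructed-session-secret"
    polluted = generator_driver(secret, "hunter2")
    print("keylogger sees:", untrusted_keylogger(polluted))
    print("application gets:", deletion_hook(secret, polluted))
```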

FIG. 7 is a block diagram illustrating a network system 700 operative to effect tunnel datagram processing, in accordance with an embodiment of the present invention. The embodiment uses standard GRE and IPsec AH mechanisms to illustrate the tunneling mechanism. Embodiments of the invention may be applicable to other combinations of tunneling and data integrity protocols.

It is assumed that a GRE tunnel has been established between the end-user device 705 and a GRE router 735. The tunneling driver adds an AH header to the IP packet generated by the computing device 705. The AH header is used to authenticate with the authentication router 750 a or 750 b. The IP packet with AH header is further encapsulated in a GRE packet before it is sent out.

The GRE packet is transferred through the GRE tunnel via the Internet 710, until it reaches the GRE router 735. The GRE router 735 decapsulates the GRE packet back to the IP packet with AH header. Further, based on the source and destination IP addresses, the GRE router 735 routes the decapsulated packet to an authentication router 750 a or 750 b.

Before the packet reaches the authentication router 750 a or 750 b, it passes through a firewall 745, which performs egress filtering to ensure that access only to intended resources is allowed and that access to forbidden resources is blocked.

Upon receiving the IP AH packet, the authentication router 750 a or 750 b performs an authentication check to ensure that the packet comes from the computing device 705. It removes the AH header and routes the packet to the intended resources 720 a, 720 b or 720 c. That is, the packet is returned to the format as originally generated by the computing device 705.

The intended resource processes the packet and generates a reply to the authentication router 750 a or 750 b.

The authentication router 750 a or 750 b adds an AH header to the reply packet. The AH header is used to authenticate any remote network resources 720 a, 720 b or 720 c. The authentication router 750 a or 750 b routes the new IP AH packet back to the GRE router 735.

The GRE router 735 encapsulates the reply packet and sends it back to the end-user device 705 via the tunnel.

The tunneling driver on the end-user device 705 decapsulates the packet and verifies the AH header. If the AH header passes the check, the packet is trusted as coming from the authenticated remote network resources 720 a, 720 b or 720 c. The AH header is removed before the packet is passed to the upper layer of the network stack for further processing. If the AH header fails the check, then a security measure is taken. The measure could include breaking the tunnel or alerting the end user.

There are many other possible variations of the example described. The authentication server 750 a or 750 b can be moved out of band of the communication between the end-user device 705 and the network resources 720 a, 720 b or 720 c. The authentication server 750 a or 750 b can communicate with the GRE router 735 to retrieve a checksum of packets received from the tunnel and can encrypt it with a private key whose public key is known to the tunneling software. The encrypted checksum may be transferred to the tunnel software regularly in a separate channel so that the tunnel software is able to ensure that it is communicating with the actual remote network resource 720 a, 720 b or 720 c.
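A constructed model of the datagram processing of FIG. 7, added here as an example and not code from the patent: an AH-style header with an HMAC integrity check value and sequence number, GRE encapsulation and decapsulation, and the verify-or-reject decision at the receiving side. The SPI values, keys and sample packet are assumptions, and the ICV covers the whole inner packet rather than only the immutable IP header fields that real AH covers.

```python
import hashlib
import hmac
import struct

# Constructed model of the FIG. 7 datagram processing (added example, not code
# from the patent). An IP packet gets an AH-style header (SPI, sequence number,
# ICV), then a GRE header for the tunnel; the far end removes GRE, checks the ICV
# and sequence number, and strips AH. ICV = HMAC-SHA-256 truncated to 128 bits.
# SPI values, keys and the sample packet are constructed assumptions.

GRE_PROTO_IPV4 = 0x0800
AH_FIXED_LEN, ICV_LEN = 8, 16


def ah_add(packet: bytes, key: bytes, spi: int, seq: int) -> bytes:
    """Tunneling driver or authentication router: prepend SPI, seq and ICV."""
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(key, header + packet, hashlib.sha256).digest()[:ICV_LEN]
    return header + icv + packet


def ah_verify_strip(ah_packet: bytes, key: bytes, spi: int, last_seq: int):
    """Return (inner_packet, seq) when the ICV is valid and seq is fresh, else
    None: the 'failed check' outcome where the tunnel is broken or the user alerted."""
    if len(ah_packet) < AH_FIXED_LEN + ICV_LEN:
        return None
    got_spi, seq = struct.unpack("!II", ah_packet[:AH_FIXED_LEN])
    icv = ah_packet[AH_FIXED_LEN:AH_FIXED_LEN + ICV_LEN]
    inner = ah_packet[AH_FIXED_LEN + ICV_LEN:]
    expected = hmac.new(key, ah_packet[:AH_FIXED_LEN] + inner, hashlib.sha256).digest()
    if got_spi != spi or seq <= last_seq or not hmac.compare_digest(icv, expected[:ICV_LEN]):
        return None
    return inner, seq


def gre_encap(payload: bytes) -> bytes:
    """Minimal GRE header: no optional fields, protocol type IPv4."""
    return struct.pack("!HH", 0, GRE_PROTO_IPV4) + payload


def gre_decap(gre_packet: bytes) -> bytes:
    """GRE router: strip the GRE header, leaving the IP packet with its AH header."""
    flags, proto = struct.unpack("!HH", gre_packet[:4])
    if flags != 0 or proto != GRE_PROTO_IPV4:
        raise ValueError("unexpected GRE header")
    return gre_packet[4:]


def end_user_to_resource(packet: bytes, key: bytes, seq: int, last_seq: int):
    """Outbound path of FIG. 7: device adds AH then GRE, the GRE router strips GRE,
    the authentication router verifies and strips AH. Returns (packet, seq) or None."""
    on_wire = gre_encap(ah_add(packet, key, spi=0x1001, seq=seq))
    return ah_verify_strip(gre_decap(on_wire), key, 0x1001, last_seq)
```

The reply path uses the same two AH functions with the router's key, and a tampered, replayed or wrongly keyed packet yields None at the verifying side.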

Certain embodiments facilitate the use of data protection mechanisms that place negligible demand on the end user and end-user device. In one embodiment, the end user need only select the network software application that the end user wants to use to exchange data and the trusted remote network with which the end user wishes to establish a secure data exchange session. After the data protection mechanisms are enabled, the end user need not differentiate between trusted and untrusted software and remote networks. Further, certain embodiments enable minimal change to existing Internet banking or shopping sites, minimal TNT deployment effort, and minimal change to end user web site usage experience.

FIG. 8 is a screen shot of a desktop 805 on an end-user device 105 before spyware infection or spoofing attack.

FIG. 9 is a screen shot of the desktop 805 on an end-user device 105 after spyware infection.

FIG. 10 is a screen shot of the desktop 805 of an end-user device 105 with a window 1005 illustrating keylogger infection.

FIG. 11 is a screen shot of the desktop 805 on an end-user device 105 with a window 1105 illustrating keystroke capture.

FIG. 12 is a screen shot of the desktop 805 on an end-user device 105 before DNS poisoning.

FIG. 13 is a screen shot of the desktop 805 on an end-user device 105 with a window 1305 illustrating a legitimate IP address in a DNS cache before DNS poisoning.

FIG. 14 is a screen shot of the desktop 105 on an end-user device 105 with the window 1305 after DNS poisoning.

FIG. 15 is a screen shot of the desktop 805 on an end-user device 105 with a window 1505 illustrating a spoofed IP address in the DNS cache, after DNS poisoning.

FIG. 16 is a screen shot of the desktop 805 on an end-user device 105 with a browser window 1605 illustrating the spoofed site at the IP address of FIG. 15.

FIG. 17 is a screen shot of the desktop 805 on an end-user device 105 with a browser window 1605 illustrating the spoofed site and with a security alert 1705.

FIG. 18 is a screen shot of the desktop 805 on an end-user device 105 with a browser window 1605 illustrating the spoofed site and with a spoofed security certificate 1805.

FIG. 19 is a screen shot of the desktop 805 on an end-user device 105 with a window 1905 illustrating keylogger infection and after DNS poisoning but before protection by embodiments of the invention.

FIG. 20 is a screen shot of the desktop 805 on an end-user device 105 with a window 2005 illustrating continuous pinging of the Yahoo website to evidence the availability of outbound communication.

FIG. 21 is a screen shot of the desktop 805 on an end-user device 105 with a window 2105 illustrating that a download agent, e.g., an ActiveX control, is being delivered to the end-user device.

FIG. 22 is a screen shot of the desktop 805 on an end-user device 105 with a window 2205 illustrating that the download agent is being executed and is establishing a VPN connection with a trusted source of a security engine 177.

FIG. 23 is a screen shot of the desktop 805 on an end-user device 105 with a window 2305 illustrating that the download agent has established a VPN connection with the trusted source, has downloaded and installed the security engine 177, and is presenting a button 2310 to navigate to the legitimate banking site. Installation of the security engine 177 enables network communication lockout, application lockout, driver management, keystroke pattern modification, and like TNT mechanisms.

FIG. 24 is a screen shot of the desktop 805 on an end-user device 105 with a window 2405 illustrating that the continuous pinging of the Yahoo website has stopped, evidencing that outbound communication has been suspended.

FIG. 25 is a screen shot of the desktop 805 on an end-user device 105 with a window 2505 illustrating the legitimate IP address of the legitimate banking site.

FIG. 26 is a screen shot of the desktop 805 on an end-user device 105 with a window 2605 illustrating application lockout.

FIG. 27 is a screen shot of the desktop 805 on an end-user device 105 with the window 2305 illustrating the button 2310 to navigate to the legitimate banking site.

FIG. 28 is a screen shot of the desktop 805 on an end-user device 105 with a browser window 2805 illustrating the legitimate banking site.

FIG. 29 is a screen shot of the desktop 805 on an end-user device 105 with the browser window 2805 and the legitimate banking site certificate 2905 of the legitimate banking site.

FIG. 30 is a screen shot of the desktop 805 on an end-user device 105 with the browser window 2805 of the legitimate banking site and illustrating that the keylogger is no longer active when the keylogger reveal word, “frklg,” is typed in the address field 3005.

FIG. 31 is a screen shot of the desktop 805 on an end-user device 105 with the browser window 2805 and after entry of confidential data into the login window 3105, just before the security engine 177 is deactivated and/or removed.

FIG. 32 is a screen shot of the desktop 805 on an end-user device 105 with a window 3205 illustrating that outbound communication has resumed.

FIG. 33 is a screen shot of the desktop 805 on an end-user device 105 with a window 3305 illustrating resumed vulnerability to the DNS poisoning of the DNS cache.

FIG. 34 is a screen shot of the desktop 805 on an end-user device 105 with a window 3405 illustrating that the security engine 177 protected the memory space from registering the browser window 2805.

FIG. 35 is a screen shot of the desktop 805 on an end-user device 105 with a window 3505 illustrating that the keylogger infection has been permanently neutralized.

The foregoing description of the preferred embodiments of the present invention is by way of example only, and other variations and modifications of the above-described embodiments and methods are possible in light of the foregoing teaching. Although the network sites are being described as separate and distinct sites, one skilled in the art will recognize that these sites may be a part of an integral site, may each include portions of multiple sites, or may include combinations of single and multiple sites. The various embodiments set forth herein may be implemented utilizing hardware, software, or any desired combination thereof. For that matter, any type of logic may be utilized which is capable of implementing the various functions set forth herein. Components may be implemented using a programmed general-purpose digital computer, using application specific integrated circuits, or using a network of interconnected conventional components and circuits. Connections may be wired, wireless, modem, etc. The embodiments described herein are not intended to be exhaustive or limiting. The present invention is limited only by the following claims.

1. A system comprising: an end-user device including a browser and a security component capable of executing a security policy, the security policy to be downloaded from a website, and a website including a security policy downloadable to the security component.
2. The system of claim 1, wherein the security component downloads the security policy from the website upon connection to the website.
3. The system of claim 1, wherein the security component activates a security mechanism upon detection of a trigger point.
4. The system of claim 3, wherein the trigger point includes an explicit trigger point.
5. The system of claim 4, wherein the trigger point includes an implicit trigger point.
6. The system of claim 1, wherein the security component connects to the website via a point-to-point tunnel before downloading the security policy.
7. The system of claim 1, wherein the website includes an integrity checksum embedded in the website, and the security component includes a website integrity checker to use the integrity checksum to confirm that the website has not been modified during transport.
8. The system of claim 1, wherein the security policy identifies alias and affiliate servers where the browser may navigate without raising concern.
9. A method comprising: using a browser to navigate to a website, the website including a downloadable security policy; and using a security component to download the security policy from the website and to effect the security policy while navigating the website.
10. The method of claim 9, wherein the using the security component to download the security policy from the website occurs upon connection to the website.
11. The method of claim 9, further comprising activating a security mechanism upon detection of a trigger point.
12. The method of claim 11, wherein the trigger point includes an explicit trigger point.
13. The method of claim 12, wherein the trigger point includes an implicit trigger point.
14. The method of claim 9, further comprising connecting to the website via a point-to-point tunnel before downloading the security policy.
15. The method of claim 9, wherein the website includes an integrity checksum embedded in the website, and further comprising using the integrity checksum to confirm that the website has not been modified during transport.
16. The method of claim 9, wherein the security policy identifies alias and affiliate servers where the browser may navigate without raising concern.
17. A system comprising: means for navigating to a website, the website including a downloadable security policy; means for downloading the security policy from the website; and means for effecting the security policy while navigating the website.